
Revert "Prevent config.h from being clobbered"

This reverts commit 28bba8c.
edolstra committed Mar 8, 2013
1 parent e73d9e9 commit bdd4646338da296fdf3a8f9dc3cf5aff1dafa163
@@ -1,17 +1,17 @@
with import <nix/config.nix>;
-{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? ""}:
+{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? "", executable ? false}:
assert (outputHash != "" && outputHashAlgo != "")
|| md5 != "" || sha1 != "" || sha256 != "";
let
builder = builtins.toFile "fetchurl.sh"
- ''
+ (''
echo "downloading $url into $out"
${curl} --fail --location --max-redirs 20 --insecure "$url" > "$out"
- '';
+ '' + (if executable then "${coreutils}/chmod +x $out" else ""));
in
@@ -25,6 +25,7 @@ derivation {
if sha256 != "" then "sha256" else if sha1 != "" then "sha1" else "md5";
outputHash = if outputHash != "" then outputHash else
if sha256 != "" then sha256 else if sha1 != "" then sha1 else md5;
+ outputHashMode = if executable then "recursive" else "flat";
inherit system url;
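Review bot: Once `chmod +x $out` is appended (L24) the builder script's exit status is chmod's rather than curl's, so a failed download with `executable = true` is no longer reported by the script itself and only surfaces later as a fixed-output hash mismatch, unless the derivation invokes the script with `sh -e` (that part of the file is outside the hunk — confirm). Adding `set -e` as the first line of the `''` string, and quoting the target as `"$out"` to match the curl line, closes that gap regardless. Separately, `outputHashMode = "recursive"` on L30 changes what the `sha256`/`sha1`/`md5`/`outputHash` arguments mean when `executable = true`: callers must now supply the NAR hash of the output, not the hash of the file's bytes, and nothing in the hunk says so. A comment next to the new parameter would prevent confusing mismatches, e.g. `# executable = true switches to a recursive (NAR) output hash; pass the NAR hash, not the flat file hash.`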
@@ -1,33 +0,0 @@
-To produce a `stable' release from the trunk:
-
--1. Update the release notes; make sure that the release date is
- correct.
-
-0. Make sure that the trunk builds in the release supervisor.
-
-1. Branch the trunk, e.g., `svn cp .../trunk
- .../branches/0.5-release'.
-
-2. Switch to the branch, e.g., `svn switch .../branches/0.5-release'.
-
-3. In `configure.ac', change `STABLE=0' into `STABLE=1' and commit.
-
-4. In the release supervisor, add a one-time job to build
- `.../branches/0.5-release'.
-
-5. Make sure that the release succeeds.
-
-6. Move the branch to a tag, e.g., `svn mv .../branches/0.5-release
- .../tags/0.5'.
-
- Note that the branch should not be used for maintenance; it should
- be deleted after the release has been created. A maintenance
- branch (e.g., `.../branches/0.5') should be created from the
- original revision of the trunk (since maintenance releases should
- also be tested first; hence, we cannot have `STABLE=1'). The same
- procedure can then be followed to produce maintenance releases;
- just substitute `.../branches/VERSION' for the trunk.
-
-7. Switch back to the trunk.
-
-8. Bump the version number in `configure.ac' (in AC_INIT).
@@ -302,6 +302,18 @@ stdenv.mkDerivation {
</varlistentry>
+ <varlistentry><term><function>builtins.hashString</function>
+ <replaceable>type</replaceable> <replaceable>s</replaceable></term>
+
+ <listitem><para>Return a base-16 representation of the
+ cryptographic hash of string <replaceable>s</replaceable>. The
+ hash algorithm specified by <replaceable>type</replaceable> must
+ be one of <literal>"md5"</literal>, <literal>"sha1"</literal> or
+ <literal>"sha256"</literal>.</para></listitem>
+
+ </varlistentry>
+
+
<varlistentry><term><function>builtins.head</function>
<replaceable>list</replaceable></term>
@@ -343,10 +343,11 @@
<varlistentry><term><option>-I</option> <replaceable>path</replaceable></term>
- <listitem><para>Add a path to the Nix expression search path. See
- the <envar>NIX_PATH</envar> environment variable for details. Paths
- added through <option>-I</option> take precedence over
- <envar>NIX_PATH</envar>.</para></listitem>
+ <listitem><para>Add a path to the Nix expression search path. This
+ option may be given multiple times. See the <envar>NIX_PATH</envar>
+ environment variable for information on the semantics of the Nix
+ search path. Paths added through <option>-I</option> take
+ precedence over <envar>NIX_PATH</envar>.</para></listitem>
</varlistentry>
@@ -6,6 +6,63 @@
+<!--==================================================================-->
+
+<section xml:id="ssec-relnotes-1.5.1"><title>Release 1.5.1 (February 28, 2013)</title>
+
+<para>The bug fix to the bug fix had a bug itself, of course. But
+this time it will work for sure!</para>
+
+</section>
+
+
+<!--==================================================================-->
+
+<section xml:id="ssec-relnotes-1.5"><title>Release 1.5 (February 27, 2013)</title>
+
+<para>This is a brown paper bag release to fix a regression introduced
+by the hard link security fix in 1.4.</para>
+
+</section>
+
+
+<!--==================================================================-->
+
+<section xml:id="ssec-relnotes-1.4"><title>Release 1.4 (February 26, 2013)</title>
+
+<para>This release fixes a security bug in multi-user operation. It
+was possible for derivations to cause the mode of files outside of the
+Nix store to be changed to 444 (read-only but world-readable) by
+creating hard links to those files (<link
+xlink:href="https://github.com/NixOS/nix/commit/5526a282b5b44e9296e61e07d7d2626a79141ac4">details</link>).</para>
+
+<para>There are also the following improvements:</para>
+
+<itemizedlist>
+
+ <listitem><para>New built-in function:
+ <function>builtins.hashString</function>.</para></listitem>
+
+ <listitem><para>Build logs are now stored in
+ <filename>/nix/var/log/nix/drvs/<replaceable>XX</replaceable>/</filename>,
+ where <replaceable>XX</replaceable> is the first two characters of
+ the derivation. This is useful on machines that keep a lot of build
+ logs (such as Hydra servers).</para></listitem>
+
+ <listitem><para>The function <function>corepkgs/fetchurl</function>
+ can now make the downloaded file executable. This will allow
+ getting rid of all bootstrap binaries in the Nixpkgs source
+ tree.</para></listitem>
+
+ <listitem><para>Language change: The expression <literal>"${./path}
+ ..."</literal> now evaluates to a string instead of a
+ path.</para></listitem>
+
+</itemizedlist>
+
+</section>
+
+
<!--==================================================================-->
<section xml:id="ssec-relnotes-1.3"><title>Release 1.3 (January 4, 2013)</title>
@@ -15,7 +15,7 @@
using namespace nix;
-void doInit()
+void doInit()
{
if (!store) {
try {
@@ -237,32 +237,35 @@ SV * derivationFromPath(char * drvPath)
doInit();
Derivation drv = derivationFromPath(*store, drvPath);
hash = newHV();
-
- /* TODO: handle drv.outputs */
-
+
+ HV * outputs = newHV();
+ for (DerivationOutputs::iterator i = drv.outputs.begin(); i != drv.outputs.end(); ++i)
+ hv_store(outputs, i->first.c_str(), i->first.size(), newSVpv(i->second.path.c_str(), 0), 0);
+ hv_stores(hash, "outputs", newRV((SV *) outputs));
+
AV * inputDrvs = newAV();
for (DerivationInputs::iterator i = drv.inputDrvs.begin(); i != drv.inputDrvs.end(); ++i)
av_push(inputDrvs, newSVpv(i->first.c_str(), 0)); // !!! ignores i->second
hv_stores(hash, "inputDrvs", newRV((SV *) inputDrvs));
-
+
AV * inputSrcs = newAV();
for (PathSet::iterator i = drv.inputSrcs.begin(); i != drv.inputSrcs.end(); ++i)
av_push(inputSrcs, newSVpv(i->c_str(), 0));
hv_stores(hash, "inputSrcs", newRV((SV *) inputSrcs));
-
+
hv_stores(hash, "platform", newSVpv(drv.platform.c_str(), 0));
hv_stores(hash, "builder", newSVpv(drv.builder.c_str(), 0));
-
+
AV * args = newAV();
for (Strings::iterator i = drv.args.begin(); i != drv.args.end(); ++i)
av_push(args, newSVpv(i->c_str(), 0));
hv_stores(hash, "args", newRV((SV *) args));
-
+
HV * env = newHV();
for (StringPairs::iterator i = drv.env.begin(); i != drv.env.end(); ++i)
hv_store(env, i->first.c_str(), i->first.size(), newSVpv(i->second.c_str(), 0), 0);
hv_stores(hash, "env", newRV((SV *) env));
-
+
RETVAL = newRV_noinc((SV *)hash);
} catch (Error & e) {
croak(e.what());
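Review bot: The return value of `hv_store` on L173 is ignored; per perlapi, when `hv_store` returns NULL the caller still owns the SV it passed in, so the `newSVpv` result leaks on that path (the existing env loop on L200 has the same pattern, so this only keeps the new code consistent with it). `SV * sv = newSVpv(i->second.path.c_str(), 0); if (!hv_store(outputs, i->first.c_str(), i->first.size(), sv, 0)) SvREFCNT_dec(sv);` would close it. The XS body of derivationFromPath starts and ends outside the hunk.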
@@ -258,8 +258,9 @@ close UPLOADLOCK;
# Perform the build.
my $buildFlags =
- "--max-silent-time $maxSilentTime --option build-timeout $buildTimeout "
- . "--fallback --add-root $rootsDir/\$PPID.out --option verbosity 0";
+ "--max-silent-time $maxSilentTime --option build-timeout $buildTimeout"
+ . " --fallback --add-root $rootsDir/\$PPID.out --quiet"
+ . " --option build-keep-log false";
# We let the remote side kill its process group when the connection is
# closed unexpectedly. This is necessary to ensure that no processes
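Review bot: `--option build-keep-log false` on L214 means the remote side keeps no persistent copy of the build log; if the connection drops mid-build, whatever was not streamed back is gone and the remote cannot be consulted afterwards. That is presumably a deliberate trade-off (the local side records the log), but it is the kind of decision that deserves a comment above the flag list, e.g. `# The remote discards its own log copy (build-keep-log false); the streamed log is the only record.`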
@@ -966,7 +966,7 @@ void ExprConcatStrings::eval(EvalState & state, Env & env, Value & v)
since paths are copied when they are used in a derivation),
and none of the strings are allowed to have contexts. */
if (first) {
- isPath = vStr.type == tPath;
+ isPath = !forceString && vStr.type == tPath;
first = false;
}
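Review bot: The comment above this block (L219-220) still describes the path-vs-string decision purely in terms of the first operand's type, while the new `!forceString &&` on L223 makes the result a string regardless of the first part whenever the parser set `forceString`. One added line keeps the comment accurate: `/* forceString is set for string literals such as "${./path} ...", which must evaluate to a string even when the first part is a path. */` ExprConcatStrings::eval starts and ends outside the hunk.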
@@ -277,8 +277,10 @@ MakeBinOp(OpConcatLists, "++")
struct ExprConcatStrings : Expr
{
+ bool forceString;
vector<Expr *> * es;
- ExprConcatStrings(vector<Expr *> * es) : es(es) { };
+ ExprConcatStrings(bool forceString, vector<Expr *> * es)
+ : forceString(forceString), es(es) { };
COMMON_METHODS
};
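Review bot: The new `forceString` member on L230 is undocumented, and its meaning is only discoverable from the parser.y call sites (true for quoted and indented string literals, false for the `+` operator) and from the check in ExprConcatStrings::eval. A one-line comment at the declaration would spare the reader that trip: `bool forceString; // set for string literals: the result is always a string, even if the first part is a path`.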
@@ -203,7 +203,7 @@ static Expr * stripIndentation(SymbolTable & symbols, vector<Expr *> & es)
es2->push_back(new ExprString(symbols.create(s2)));
}
- return es2->size() == 1 ? (*es2)[0] : new ExprConcatStrings(es2);
+ return es2->size() == 1 ? (*es2)[0] : new ExprConcatStrings(true, es2);
}
@@ -318,7 +318,7 @@ expr_op
{ vector<Expr *> * l = new vector<Expr *>;
l->push_back($1);
l->push_back($3);
- $$ = new ExprConcatStrings(l);
+ $$ = new ExprConcatStrings(false, l);
}
| expr_op CONCAT expr_op { $$ = new ExprOpConcatLists($1, $3); }
| expr_app
@@ -349,7 +349,7 @@ expr_simple
/* For efficiency, and to simplify parse trees a bit. */
if ($2->empty()) $$ = new ExprString(data->symbols.create(""));
else if ($2->size() == 1) $$ = $2->front();
- else $$ = new ExprConcatStrings($2);
+ else $$ = new ExprConcatStrings(true, $2);
}
| IND_STRING_OPEN ind_string_parts IND_STRING_CLOSE {
$$ = stripIndentation(data->symbols, *$2);
@@ -1107,6 +1107,21 @@ static void prim_unsafeDiscardOutputDependency(EvalState & state, Value * * args
}
+/* Return the cryptographic hash of a string in base-16. */
+static void prim_hashString(EvalState & state, Value * * args, Value & v)
+{
+ string type = state.forceStringNoCtx(*args[0]);
+ HashType ht = parseHashType(type);
+ if (ht == htUnknown)
+ throw Error(format("unknown hash type `%1%'") % type);
+
+ PathSet context; // discarded
+ string s = state.forceString(*args[1], context);
+
+ mkString(v, printHash(hashString(ht, s)), context);
+};
+
+
/*************************************************************
* Versions
*************************************************************/
@@ -1234,6 +1249,7 @@ void EvalState::createBaseEnv()
addPrimOp("__stringLength", 1, prim_stringLength);
addPrimOp("__unsafeDiscardStringContext", 1, prim_unsafeDiscardStringContext);
addPrimOp("__unsafeDiscardOutputDependency", 1, prim_unsafeDiscardOutputDependency);
+ addPrimOp("__hashString", 2, prim_hashString);
// Versions
addPrimOp("__parseDrvName", 1, prim_parseDrvName);
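Review bot: The comment `// discarded` on L273 contradicts the code: `context` is filled by `forceString` on L274 and then passed to `mkString` on L276, so the string context of the hashed value is propagated into the result, not dropped. Propagating is the conservative choice (a derivation that uses the hash keeps its dependency on the referenced store paths), so fix the comment rather than the code: `PathSet context; // propagated to the result so that referenced store paths remain dependencies`. The stray `;` after the function's closing brace on L277 is harmless but should go.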
@@ -168,11 +168,10 @@ static void initAndRun(int argc, char * * argv)
remaining.clear();
/* Process default options. */
- int verbosityDelta = lvlInfo;
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
string arg = *i;
- if (arg == "--verbose" || arg == "-v") verbosityDelta++;
- else if (arg == "--quiet") verbosityDelta--;
+ if (arg == "--verbose" || arg == "-v") verbosity = (Verbosity) (verbosity + 1);
+ else if (arg == "--quiet") verbosity = verbosity > lvlError ? (Verbosity) (verbosity - 1) : lvlError;
else if (arg == "--log-type") {
string s = getArg(arg, i, args.end());
setLogType(s);
@@ -219,8 +218,6 @@ static void initAndRun(int argc, char * * argv)
else remaining.push_back(arg);
}
- verbosity = (Verbosity) (verbosityDelta < 0 ? 0 : verbosityDelta);
-
settings.update();
run(remaining);
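Review bot: `--quiet` is now clamped at `lvlError` (L300), but `--verbose` on L299 has no upper bound, so repeated `-v` flags push `verbosity` past the last enumerator of `Verbosity` through the cast; the old delta code had the same gap, but since a clamp is being introduced it is worth closing both ends, e.g. `if (verbosity < lvlVomit) verbosity = (Verbosity) (verbosity + 1);` (lvlVomit being the top level in Nix's types.hh, if I recall — confirm). Note also that the adjustment now applies to the global directly instead of starting from `lvlInfo`, so the flags are relative to whatever `verbosity` held before option parsing; presumably intended, but it is a behaviour change if anything sets it earlier.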
@@ -43,6 +43,12 @@
#include <sched.h>
#endif
+/* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but
+ <linux/fs.h> does. */
+#if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H
+#include <linux/fs.h>
+#endif
+
#define CHROOT_ENABLED HAVE_CHROOT && HAVE_UNSHARE && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS)
#if CHROOT_ENABLED
@@ -2281,7 +2287,7 @@ void DerivationGoal::computeClosure()
}
/* Get rid of all weird permissions. */
- canonicalisePathMetaData(path);
+ canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
/* For this output path, find the references to other paths
contained in it. Compute the SHA-256 NAR hash at the same
@@ -2343,13 +2349,15 @@ Path DerivationGoal::openLogFile()
{
if (!settings.keepLog) return "";
+ string baseName = baseNameOf(drvPath);
+
/* Create a log file. */
- Path dir = (format("%1%/%2%") % settings.nixLogDir % drvsLogDir).str();
+ Path dir = (format("%1%/%2%/%3%/") % settings.nixLogDir % drvsLogDir % string(baseName, 0, 2)).str();
createDirs(dir);
if (settings.compressLog) {
- Path logFileName = (format("%1%/%2%.bz2") % dir % baseNameOf(drvPath)).str();
+ Path logFileName = (format("%1%/%2%.bz2") % dir % string(baseName, 2)).str();
AutoCloseFD fd = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666);
if (fd == -1) throw SysError(format("creating log file `%1%'") % logFileName);
closeOnExec(fd);
@@ -2364,7 +2372,7 @@ Path DerivationGoal::openLogFile()
return logFileName;
} else {
- Path logFileName = (format("%1%/%2%") % dir % baseNameOf(drvPath)).str();
+ Path logFileName = (format("%1%/%2%") % dir % string(baseName, 2)).str();
fdLogFile = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666);
if (fdLogFile == -1) throw SysError(format("creating log file `%1%'") % logFileName);
closeOnExec(fdLogFile);
@@ -2831,7 +2839,7 @@ void SubstitutionGoal::finished()
return;
}
- canonicalisePathMetaData(destPath);
+ canonicalisePathMetaData(destPath, -1);
worker.store.optimisePath(destPath); // FIXME: combine with hashPath()
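Review bot: The log directory format on L337 ends with a `/`, and L341 and L349 then join with another `/`, so every log path now contains `//` (`.../drvs/ab//cdef...`); dropping the trailing slash, `"%1%/%2%/%3%"`, fixes it. `string(baseName, 2)` on L341/L349 throws `std::out_of_range` for a basename shorter than two characters; store-path basenames are hash-prefixed so that cannot occur here, but whatever reads these logs (outside the hunk) must apply the identical two-character split, so a shared helper for the split would be safer than repeating it. The `canonicalisePathMetaData` calls on L327 and L357 now take a uid argument whose signature is not visible here; I assume `-1` is the "no build user" sentinel — confirm.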
@@ -659,7 +659,10 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results)
increase, since we hold locks on everything. So everything
that is not reachable from `roots'. */
- if (state.shouldDelete) createDirs(state.trashDir);
+ if (state.shouldDelete) {
+ if (pathExists(state.trashDir)) deleteGarbage(state, state.trashDir);
+ createDirs(state.trashDir);
+ }
/* Now either delete all garbage paths, or just the specified
paths (for gcDeleteSpecific). */
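Review bot: The new `deleteGarbage(state, state.trashDir)` on L365 is undocumented; it presumably clears out a trash directory left behind by an earlier GC run that was interrupted before it could remove it, and a comment saying so would save the next reader a trip through the history: `/* Remove a trash directory left over from a previous, interrupted GC so that its contents are not silently retained. */` The enclosing collectGarbage body starts and ends outside the hunk.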